sg

Sunday, December 04, 2005

[Gmail-Lounge] Re: php questions


On 12/3/05, Allen Day <so.orange@gmail.com> wrote:
>
>
> I'd just like to mention that your arguments in this thread are "new"
> arguments replacing the arguments prior used--you've gone from "If you have
> htaccess or mod_rewrite, you're endangering your data!" to "If you have
> these things, you're endangering the rest of the internet!" -- changing
> tactics, confused, what? ;) Y

The arguments haven't changed, just your interpretation of them has.

> Kass Lloyd <kasslloyd@gmail.com> wrote:
> >
> >
> >There's a couple of security risks these pose:
> >
> >1. mod_rewrite allows you to hide scripts as images or other file
> >types.
>
> I'll give you that--but we don't take away cars, guns, booze or steak
> knives because in the wrong conditions they can be dangerous to others.
> Hell, why don't we just take away the Internet altogether since it poses a
> great potential security risk?

But if the manufacturer of the steak knife, booze and car had a very
high degree of legal liability for the damage you cause with them, or
if they were paying the bills for you to use them, they wouldn't be
so cavalier about handing them out, now would they? In this day and
age, with how the Internet is and the laws surrounding it, an ISP could be
legally liable if their network causes damage or theft from someone
else, even if it wasn't their fault. Likewise their name could be
associated with criminal activities, which is also death to a company.

> >2. .htaccess if not restricted can modify lots of apache variables.
>
> But your argument has been that only complete idiots allow .htaccess. I
> disagree, I have used -several- web hosts over the years that intuitively
> allow .htaccess to give the user maximum control without endangering
> others. Yes, if you don't know what you're doing, giving a user .htaccess
> poses a huge risk -- but we're not talking about some novice hosting out
> his own computer. We're talking professional grade web hosting. Anyone
> who knows what they're doing is going to go with a web host who knows -at
> least as well- what they are doing -- and they're going to provide these
> features and they're going to provide them in a manner that offers power,
> flexibility AND security.

I've been saying all along that even highly restrictive web hosts
allow basic .htaccess use, but they restrict what variables you can
modify in them. It's not a question of whether .htaccess is available, because
it almost always is, but I've never had web hosting (and yes, I've had
plenty of hosts) that allowed one to, say, enable an Apache mod or
change what extensions are executed as scripts. Even nowadays it's
harder to find a web host that will allow you to turn CGI execution on
in custom directories.

> The problem I see in this thread is that you're terribly paranoid without
> bothering to inject some data. How many web hosts have you used and to
> what capacity? I mean no offense in saying I believe you're quite aware of
> -potential- security holes but are completely unaware of how many
> professionals know how to deal with these potential risks WITHOUT
> completely withholding from their users.

I've used probably hundreds of different web hosts; I do web
programming for a living, freelance. Although I rarely have occasion to
actually use something like mod_rewrite, I'm aware it's not enabled
on many systems, and like I've said, I've never encountered a web host
that allowed you to change what files execute as scripts. Quite
possibly the larger ISPs don't allow you to do it because, say, if you
made .html execute as a script it would increase the CPU/processing
load of the server, since it would have to execute every .html file it
serves.

> >3. You are correct that a very well setup and security tight box, that
> >these features pose little or no threat. But most people don't have
> >the time to keep up with every little security trend and bug and may
> >not know every little trick to secure and restrict these features.
>
> Again, I'm not talking about John Doe hosting me on his home computing.
> I'm talking about professional web hosting--firms which are largely more
> competent than you give them credit for.

I do give them credit, but most don't give loads of access to things
on shared systems. If you have your own server or virtual server, of
course you get more access, but for a simple virtually hosted web page
account you're not going to get tons of access to the system, plus of
course your data is less private.

> >4. Directory security, many web servers are setup so that any user can
> >browse and access basicly any file on the system.
>
> You use sweeping terms like "many" and "most" but don't bother mentioning
> any. I'm not going to go off any more, I'm just going to re-reference my
> prior text in this post. You're terribly paranoid and completely out of
> touch with modern professional web hosting.

I'd venture most would allow you to browse the directory structure, even
if your FTP is limited. If you upload a PHP directory script that
lets you browse anywhere you want, you can discover lots of things.
Likewise you'd be able to get into other users' home directories, since
usually Apache is set up to require world readability for web share
directories.

> I'm guessing you're operating under the knowledge of security bulletins and
> don't actually sample the technology yourself.

I'm guessing that you live in a bubble or have your own servers. ;-)

Name some MAJOR web hosting companies that let you change what files
are executed as scripts in a .htaccess file.
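The back-and-forth above turns on two things: which .htaccess directives let a tenant change what Apache executes as a script (AddHandler/AddType/SetHandler/ForceType, Options +ExecCGI, and a RewriteRule that routes image-looking URLs to a script), and the fact that a host's AllowOverride setting decides whether any of those directives are honoured at all. The script below is an added example written for this page, not code from the thread or from Apache: it audits a constructed .htaccess for those directives and then filters the findings by an assumed AllowOverride line. Directive names and AllowOverride categories are Apache's own; the lists of "script" handlers and extensions are an assumed shared-host policy, not an Apache default.

```python
"""Audit .htaccess text for directives that change which files Apache executes
as scripts, or that route static-looking URLs to a script via mod_rewrite,
then work out which findings the vhost's AllowOverride setting would permit.

Added example for this discussion; not code from the thread or from Apache.
The .htaccess sample is constructed.  SCRIPT_HANDLERS/SCRIPT_EXTS/STATIC_EXTS
are an assumed shared-host policy, not Apache defaults.
"""
import re
from dataclasses import dataclass

# Handler/MIME names that make mod_php, mod_cgi or mod_include execute a file
# instead of serving it (assumed list of the common names).
SCRIPT_HANDLERS = {
    "application/x-httpd-php", "application/x-httpd-php5", "x-httpd-php",
    "php-script", "php5-script", "php7-script", "cgi-script", "server-parsed",
}
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".cgi", ".pl", ".py", ".sh"}
STATIC_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp",
               ".html", ".htm", ".txt", ".css", ".js"}

# AllowOverride category each directive needs before .htaccess may use it
# ("Override: FileInfo" / "Override: Options" in the Apache directive docs).
OVERRIDE_NEEDED = {
    "addhandler": "FileInfo", "addtype": "FileInfo", "sethandler": "FileInfo",
    "forcetype": "FileInfo", "rewriterule": "FileInfo", "options": "Options",
}

def _alt(exts):
    return "|".join(sorted((e[1:] for e in exts), key=len, reverse=True))

_STATIC_RE = re.compile(r"\\?\.(" + _alt(STATIC_EXTS) + r")\b", re.I)  # in a regex pattern
_SCRIPT_RE = re.compile(r"\.(" + _alt(SCRIPT_EXTS) + r")\b", re.I)     # in a rewrite target


@dataclass(frozen=True)
class Finding:
    line_no: int
    directive: str
    needs: str      # AllowOverride category the directive requires
    reason: str


def _ext(token):
    t = token.lower()
    return t if t.startswith(".") else "." + t


def audit_htaccess(text):
    """Return risky directives found in .htaccess text, in file order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        d = tok[0].lower()
        needs = OVERRIDE_NEEDED.get(d, "")
        if d in ("addhandler", "addtype") and len(tok) >= 3:
            # e.g. "AddHandler application/x-httpd-php .html .gif"
            if tok[1].lower() in SCRIPT_HANDLERS:
                for e in map(_ext, tok[2:]):
                    if e not in SCRIPT_EXTS:
                        findings.append(Finding(n, tok[0], needs,
                                                f"{e} files would execute via {tok[1]}"))
        elif d in ("sethandler", "forcetype") and len(tok) >= 2:
            if tok[1].lower() in SCRIPT_HANDLERS:
                findings.append(Finding(n, tok[0], needs,
                                        f"every file in the directory would execute via {tok[1]}"))
        elif d == "options":
            for opt in tok[1:]:
                name = opt.lstrip("+").lower()
                if not opt.startswith("-") and name in ("execcgi", "includes", "indexes"):
                    findings.append(Finding(n, tok[0], needs, f"enables {name}"))
        elif d == "rewriterule" and len(tok) >= 3:
            # Static-looking URL pattern rewritten to a script: the
            # "script hidden as an image" case from the thread.
            pattern, target = tok[1], tok[2]
            if _STATIC_RE.search(pattern) and _SCRIPT_RE.search(target):
                findings.append(Finding(n, tok[0], needs,
                                        f"URLs matching {pattern} are served by {target}"))
    return findings


def effective(findings, allow_override):
    """Keep only findings the vhost's AllowOverride permits.

    allow_override is the set of words on the AllowOverride line, e.g.
    {"All"}, {"None"} or {"AuthConfig", "Limit"}.  With None Apache never
    reads .htaccess; with a category missing the directive is refused
    (500, "not allowed here"), so either way it does not take effect.
    """
    granted = {w.lower() for w in allow_override}
    if "none" in granted:
        return []
    return [f for f in findings if "all" in granted or f.needs.lower() in granted]


# Constructed sample of what a tenant on a shared host might upload.
SAMPLE_HTACCESS = r"""# constructed sample .htaccess
RewriteEngine On
RewriteRule ^images/(.*)\.gif$ serve.php?img=$1 [L]
AddHandler application/x-httpd-php .html .gif
Options +Indexes +ExecCGI
AddType image/png .png
"""

if __name__ == "__main__":
    found = audit_htaccess(SAMPLE_HTACCESS)
    for f in found:
        print(f"line {f.line_no}: {f.directive} (needs AllowOverride {f.needs}): {f.reason}")
    print("honoured under 'AllowOverride FileInfo':", len(effective(found, {"FileInfo"})))
    print("honoured under 'AllowOverride AuthConfig Limit':",
          len(effective(found, {"AuthConfig", "Limit"})))
```

Run against the sample this reports five findings (the rewrite of *.gif to serve.php, .html and .gif handed to mod_php, and Indexes/ExecCGI), of which a host that grants only AuthConfig and Limit honours none and one that grants FileInfo honours three. That is the distinction both posters are circling: .htaccess being present says nothing about what it can change, because the AllowOverride line in the server config, which a tenant cannot touch, decides that.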
